<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE document [
<!ENTITY project SYSTEM "project.xml">
]>
<?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?>
<document url="changelog.html">
&project;
<properties>
<author email="remm@apache.org">Remy Maucherat</author>
<author email="yoavs@apache.org">Yoav Shapira</author>
<author email="fhanik@apache.org">Filip Hanik</author>
<author email="pero@apache.org">Peter Rossbach</author>
<author email="kkolinko@apache.org">Konstantin Kolinko</author>
<author email="kfujino@apache.org">Keiichi Fujino</author>
<author email="jim@apache.org">Jim Jagielski</author>
<author email="mturk@apache.org">Mladen Turk</author>
<title>Changelog</title>
</properties>
<body>
<!-- Section names:
General, Catalina, Coyote, Jasper, Cluster, Webapps, Other
-->
<section name="Tomcat 5.5.36 (jim)" rtext="">
<subsection name="General">
<changelog>
<update>
Update to Apache Commons Daemon 1.0.9. (markt)
</update>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>52641</bug>: Remove mentioning of ldap.jar from docs.
Patch provided by Felix Schumacher. (rjung)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
<bug>52640</bug>: Correctly set the endorsed directory location when using
the Windows installer. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.35 (jim)" rtext="released 2012-01-16">
<subsection name="Catalina">
<changelog>
<add>
Make configuration issues for security related Valves and Filters result
in the failure of the valve or filter rather than just a warning
message. (markt)
</add>
<fix>
Ensure changes to the configuration of the RemoteHostValve and the
RemoteAddrValve via JMX are thread-safe. (markt)
</fix>
<update>
In <code>RequestFilterValve</code> (<code>RemoteAddrValve</code>,
<code>RemoteHostValve</code>): refactor value matching logic into
separate method and expose this new method <code>isAllowed</code>
through JMX. (kkolinko)
</update>
<add>
Improve performance of parameter processing for GET and POST requests.
Also add an option to limit the maximum number of parameters processed
per request. This defaults to 10000. Excessive parameters are ignored.
Note that <code>FailedRequestFilter</code> can be used to reject the
request if some parameters were ignored. (markt/kkolinko)
</add>
<add>
New filter <code>FailedRequestFilter</code> that will reject a request
if there were errors during HTTP parameter parsing. (kkolinko)
</add>
<fix>
<bug>52384</bug>: Do not fail with parameter parsing when debug logging
is enabled. (kkolinko, jim)
</fix>
<fix>
Do not flag extra '&amp;' characters in parameters as parse errors.
(kkolinko, jim)
</fix>
<fix>
Slightly improve performance of UDecoder.convert(). Align
<code>%2f</code> handling between implementations. (kkolinko)
</fix>
<fix>
<bug>52225</bug>: Fix ClassCastException when adding an alias for an
existing host via JMX. (kkolinko)
</fix>
<fix>
Do not throw an IllegalArgumentException from a
<code>parseParameters()</code> call when a chunked POST request is too
large, but treat it like an IO error. (kkolinko)
</fix>
<add>
Add SetCharacterEncodingFilter (similar to the one contained in the
examples web application)
to the <code>org.apache.catalina.filters</code> package so it is
available for all web applications. (kkolinko)
</add>
</changelog>
</subsection>
<subsection name="General">
<changelog>
<update>
Update Eclipse compiler to 3.7 and switch to using ecj.jar. (markt)
</update>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Improve multi-byte character handling in all connectors. (rjung)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>52335</bug>: Only handle <code>&lt;\%</code> and not
<code>\%</code> as escaped in template text. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>52049</bug>: Improve setup instructions for running as a Windows
service: correct information on how a JRE is identified and selected.
(kkolinko)
</fix>
<update>
<bug>52172</bug>: Update Tomcat build instructions. Includes changes
proposed by bmargulies. (kkolinko)
</update>
<fix>
<bug>52243</bug>: Improve Windows service documentation to clarify how
to include <code>#</code> and/or <code>;</code> in the value of an
environment variable that is passed to the service. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
<bug>52059</bug>: Ensure Windows registry keys are removed when using
the un-install option of the Windows installer. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.34 (jim)" rtext="released 2011-09-22">
<subsection name="General">
<changelog>
<update>
Update Tomcat-Native to 1.1.22. (jim)
</update>
<update>
Fix CVE-2011-2729. Update to Commons Daemon 1.0.7. (markt)
</update>
<fix>
<bug>33262</bug>: When using the Windows installer, the monitor is now
auto-started for the current user rather than all users to be consistent
with menu item creation. (markt)
</fix>
<fix>
<bug>40510</bug>: Provide an option within the Windows installer to
create menu entries for the current user or all users. (markt)
</fix>
<fix>
<bug>50949</bug>: Add the ability to specify the AJP port and the
shutdown port when using the Windows installer. (markt)
</fix>
<fix>
<bug>51135</bug>: Fix auto-detection of JAVA_HOME for 64-bit Windows
platforms that only have a 32-bit JVM installed when using the Windows
installer. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>27988</bug>: Improve reporting of missing files. (markt)
</fix>
<fix>
<bug>28852</bug>: Add URL encoding where missing to parameters in URLs
presented by Ant tasks to the Manager application. Based on a patch by
Stephane Bailliez. (mark)
</fix>
<fix>
<bug>41179</bug>: Return 404 rather than 400 for requests to the ROOT
context when no ROOT context has been deployed. (markt)
</fix>
<fix>
<bug>50189</bug>: Once the application has finished writing to the
response, prevent further reads from the request since this causes
various problems in the connectors which do not expect this. (markt)
</fix>
<fix>
Fix CVE-2011-2204. Prevent user passwords appearing in log files if a
runtime exception (e.g. OOME) occurs while creating a new user for a
MemoryUserDatabase via JMX. (markt)
</fix>
<fix>
<bug>51042</bug>: Don&apos;t trigger session creation listeners when a
session ID is changed as part of the authentication process. (markt)
</fix>
<fix>
<bug>51324</bug>: Improve handling of exceptions when flushing the
response buffer to ensure that the doFlush flag does not get stuck in
the enabled state. Patch provided by Jeremy Norris. (kkolinko)
</fix>
<fix>
<bug>51403</bug>: Avoid NullPointerException in JULI FileHandler if
formatter is misconfigured. (kkolinko)
</fix>
<fix>
<bug>51473</bug>: Fix concatenation of values in
SecurityConfig.setSecurityProperty() when the value provided by JRE is
null. (kkolinko)
</fix>
<fix>
<bug>51550</bug>: Internal errors in Tomcat components that process
requests before they are passed to a web application, such as
Authenticators, now return a 500 response rather than a 200 response.
(markt)
</fix>
<add>
CVE-2011-1184: Add additional configuration options to the DIGEST
authenticator. (markt)
</add>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Fix CVE-2011-2526. Protect against crashes (HTTP APR) if sendfile is
configured to send more data than is available in the file. (markt)
</fix>
<fix>
<bug>50394</bug>: Return -1 from read operation instead of throwing an
exception when encountering an EOF with the HTTP APR connector.
(kkolinko)
</fix>
<fix>
<bug>50744</bug>: Skip the SSL configuration check on platforms where an
unbounded socket cannot be created. (kkolinko)
</fix>
<fix>
<bug>51073</bug>: Throw an exception and do not start the APR connector
if it is configured for SSL and an invalid value is provided for
SSLProtocol. (markt)
</fix>
<fix>
<bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection.
(markt)
</fix>
<add>
Detect incomplete AJP messages and reject the associated request if one
is found. (markt)
</add>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>36362</bug>: Handle the case where tag file attributes (which can
use any valid XML name) have a name which is not a Java identifier.
(markt)
</fix>
<fix>
Fix possible threading issue in JSP compilation when development mode is
enabled. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
<bug>48717</bug>: Ensure session activation events are fired. (markt)
</fix>
<fix>
<bug>50771</bug>: Ensure HttpServletRequest#getAuthType() returns the
name of the authentication scheme if request has already been
authenticated. (kfujino)
</fix>
<fix>
<bug>51647</bug>: Fix session replication when a session attribute is a
Java dynamic proxy. Based on a patch by Tomasz Skutnik. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>41498</bug>: Add the allRolesMode attribute to the Realm
configuration page in the documentation web application. (markt)
</fix>
<update>
Configure Security Manager How-To to include a copy of the actual
conf/catalina.policy file when the documentation is built, rather
than maintaining a copy of its content. (kkolinko)
</update>
<fix>
<bug>48997</bug>: Fix some typos and improve cross-referencing to the
HTTP Connector and APR documentation with the SSL How-To page of the
documentation web application. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
Align jpda settings in catalina.bat with catalina.sh, tc6.0.x, tc7.0.x
and trunk. (markt)
</fix>
<update>
Clarify error messages in *.sh files to mention that if a script is
not found it might be because execute permission is needed. (kkolinko)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.33 (jim)" rtext="released 2011-02-10">
<subsection name="General">
<changelog>
<fix>
Fix permissions of version.sh in bin tarball. (rjung)
</fix>
<fix>
<bug>45332</bug>, <bug>45852</bug>, <bug>50140</bug>:
Backport numerous improvements to the Windows installer.
Specify the correct encoding (the current Windows code page) rather
than assuming UTF-8 when creating tomcat-users.xml - <bug>45332</bug>,
<bug>45852</bug>.
Update install/uninstall icons. Create an installation log.
Allow 32-bit JVMs to be selected when installing on a 64-bit platform.
Do not ignore install directory if it is specified with the command
line switch on 64-bit platforms - <bug>50140</bug>.
Add support for the <code>/?</code> command line switch.
Replace the .ini files with the script equivalents.
Provide the ability to edit the roles for the added user.
Clean up fully after installation.
Add DetailPrint statements for operations that may take time.
Improve the descriptions of the components.
(kkolinko, mturk, markt)
</fix>
<add>
Add roles (admin-gui, admin-script, manager-gui, manager-script,
manager-jmx, manager-status) to the Manager, Host Manager and Admin
applications to allow more fine-grained control of permissions. The old
roles are deprecated but will still work in the same way. (kkolinko)
</add>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
Improve HTTP specification compliance in support of
<code>Accept-Language</code> header. This protects from known exploit
of the Oracle JVM bug that triggers a DoS, CVE-2010-4476. (kkolinko)
</fix>
<fix>
<bug>50620</bug>: Stop exceptions that occur during
<code>Session.endAccess()</code> from preventing the normal completion
of <code>Request.recycle()</code>. (markt/kkolinko)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<update>
Remove <code>JSSE13Factory</code>, <code>JSSE13SocketFactory</code>
classes, as Tomcat 5.5 always runs on JRE 1.4 or later. (kkolinko)
</update>
<fix>
<bug>50325</bug>: When the JVM indicates support for RFC 5746, disable
Tomcat&apos;s <code>allowUnsafeLegacyRenegotiation</code> configuration
attribute and use the JVM configuration to control renegotiation.
(markt/kkolinko)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.32 (jim)" rtext="released 2011-02-01">
<subsection name="General">
<changelog>
<update>
Update to Commons Daemon 1.0.5. (mturk)
</update>
<update>
Update to commons-pool 1.5.5. (markt)
</update>
<fix>
Ensure POM files have correct line endings in source distributions.
(rjung/markt)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<add>
<bug>43960</bug>: Expose <code>available</code> property of
StandardWrapper via JMX. (markt)
</add>
<fix>
<bug>50131</bug>: Avoid possible NPE in debug output in PersistentValve.
Patch provided by sebb. (kkolinko)
</fix>
<fix>
<bug>50413</bug>: Ensure 304s are not returned when using static files
as error pages. (markt/kkolinko)
</fix>
<fix>
Avoid unnecessary cast in StandardContext. (markt)
</fix>
<fix>
<bug>50460</bug>: Avoid a possible memory leak caused by using a cached
exception instance. (kkolinko)
</fix>
<fix>
<bug>50550</bug>: When a new directory is created (e.g. via WebDAV)
ensure that a subsequent request for that directory does not result in a
404 response. (markt/kkolinko)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>47913</bug>: Return the IP address rather than null for
<code>getRemoteHost()</code> with the APR connector if the IP address
does not resolve. (markt)
</fix>
<fix>
<bug>49521</bug>: Disable scanning for a free port in Jk AJP/1.3
connector by default. Do not change maxPort field value of ChannelSocket
in its <code>setPort()</code> and <code>init()</code> methods. Add
support for <code>maxPort</code> attribute on a <code>Connector</code>
element as a synonym for channelSocket.maxPort. (kkolinko)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>49935</bug>: Handle compilation of recursive tag files. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
Improve sending an access message in DeltaManager.
The maxInactiveInterval of the session, not of the Manager, is used.
If maxInactiveInterval is negative, an access message is not sent.
(kfujino)
</fix>
<fix>
<bug>50547</bug>: Add time stamp for CHANGE_SESSION_ID message and
SESSION_EXPIRED message. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<add>
<bug>50294</bug>: Add more information to documentation regarding format
of configuration files. Patch provided by Luke Meyer. (markt)
</add>
<update>
Improve documentation of database connection factory. (rjung)
</update>
<fix>
Improve filtering of Manager display output. (kkolinko)
</fix>
<update>
Configure the Admin, Manager and Host-Manager web applications to use
HttpOnly flag for their session cookies. (kkolinko)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.31 (jim)" rtext="released 2010-09-16">
<subsection name="General">
<changelog>
<fix>
Add svn:executable property to some script files and
remove it from non-executable files. (rjung)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>38113</bug>: Add system property (ALLOW_EMPTY_QUERY_STRING) to allow
spec compliant handling of query string. (markt/kkolinko/jim)
</fix>
<fix>
Return a copy of the URL being used from the webapp class loader, not
the original array. (kkolinko/markt)
</fix>
<fix>
<bug>49749</bug>: Use HttpOnly flag of current context when generating
a Single-Sign-On cookie. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>49718</bug>: Fix regression in previous fix for <bug>46984</bug>
caused by the patch being applied to the wrong section of code. The
regression caused HTTP 0.9 requests to fail. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>49585</bug>: Update JSVC documentation to reflect new packaging
of Commons Daemon. (markt)
</fix>
<fix>
<bug>49774</bug>: Add support for SSL with either JSSE or APR based
connectors to the admin app. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
Add Null check when CHANGE_SESSION_ID message received. (kfujino)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.30 (jim)" rtext="released 2010-07-09">
<subsection name="General">
<changelog>
<update>
Update to Commons Daemon 1.0.2. Use service launcher (procrun)
from the Commons Daemon release. Do not keep a copy of it in our source
tree. (mturk/kkolinko)
</update>
<update>
Update to NSIS 2.46. (kkolinko)
</update>
<update>
Update to Apache Commons DBCP 1.3. (markt)
</update>
<fix>
<bug>48840</bug>: Swallow output (if any) from use of cd when determining
$CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts. Based on patch
provided by mdietze. (markt/kkolinko)
</fix>
<fix>
<bug>49236</bug>: Do not use indexing when packing Tomcat JARs.
(kkolinko)
</fix>
<fix>
<bug>48990</bug>: Build Windows distributions correctly on Linux and
add support for the skip.installer property. (kkolinko)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
Fix CVE-2010-1157. Prevent possible disclosure of host name or IP
address via the HTTP WWW-Authenticate header when using BASIC or DIGEST
authentication. (markt)
</fix>
<fix>
<bug>44041</bug>, <bug>48694</bug>: Fix duplicate class definition
under load. Avoid possible deadlock in class loading.
(markt/kkolinko)
</fix>
<fix>
<bug>47774</bug>: Ensure web application class loader is used when
calling session listeners. (kfujino)
</fix>
<update>
<bug>48179</bug>: Improve error handling when reading or writing
TLD cache file ("tldCache.ser"). (kkolinko)
</update>
<fix>
<bug>49398</bug>: ByteChunk.indexOf(String, int, int, int) could not
find a string of length 1. (kkolinko)
</fix>
<fix>
Ensure all required i18n messages are present for the APR/native
Listener. (kkolinko)
</fix>
<fix>
Fix possible overflows when calculating session statistics. (kkolinko)
</fix>
<fix>
<bug>49424</bug>: Avoid NPE if client provides no data with a chunked
POST request. (markt)
</fix>
<fix>
Minor code cleanup in AccessLogValve and FastCommonAccessLogValve
classes. (kkolinko)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Arrange filter logic. (jfclere)
</fix>
<fix>
<bug>48613</bug>: Only attempt APR/native connector initialization if
the Listener element has been specified in server.xml. (fhanik/kkolinko)
</fix>
<fix>
<bug>48843</bug>: Prevent possible deadlock and correct queue handling
for worker allocation in APR connectors. (kkolinko)
</fix>
<fix>
Use chunked encoding for HTTP 1.1 responses with no content-length
(regardless of keep-alive) so client can differentiate between complete
and partial responses. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>42390</bug>, <bug>48616</bug>: Fix compilation error with some
nested tag files and simple tags. Do not declare or synchronize
scripting variables for JSP fragments since they are scriptless.
(kkolinko)
</fix>
<fix>
<bug>47878</bug>: Return &#x201C;404&#x201D;s rather than a permanent
&#x201C;500&#x201D; if a JSP is deleted. Make sure first response after
deletion is correct. (markt/kkolinko)
</fix>
<fix>
<bug>48701</bug>: Add a system property to allow disabling enforcement
of JSP.5.3. The specification recommends, but does not require, this
enforcement. (kkolinko)
</fix>
<fix>
<bug>48580</bug>: Prevent AccessControlException when running under a
security manager if the first access is to a JSP that uses a
FunctionMapper. (markt/kkolinko)
</fix>
<fix>
<bug>49196</bug>: Avoid NullPointerException in
PageContext.getErrorData() if an error-handling JSP page is called
directly. (kkolinko)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
<bug>48717</bug>: When a node joins a cluster and it receives all the
current sessions, ensure the sessionCreated event is fired if the
Manager is configured to replicate session events. (markt)
</fix>
<fix>
<bug>49170</bug>: Do not send duplicated session. (kfujino)
</fix>
<fix>
<bug>49445</bug>: When session ID is changed after authentication,
ensure the DeltaManager replicates the change in ID to the other nodes
in the cluster. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<add>
Backport documentation stylesheet improvements from Tomcat 6:
use CSS styles to provide printer-friendly layout,
support generation of TOC tables,
support links to revision numbers,
use underscores instead of spaces in anchor names. (kkolinko)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.29 (fhanik)" rtext="released 2010-04-20">
<subsection name="General">
<changelog>
<add>
<bug>37847</bug>: Make location and filename of catalina.out configurable
in catalina.sh. (fhanik/kkolinko)
</add>
<fix>
<bug>47609</bug>: Provide fail-safe EOL conversion for build process.
(sebb/markt/kkolinko)
</fix>
<fix>
<bug>47689</bug>: Enable the test Ant target to work. (markt)
</fix>
<fix>
<bug>47712</bug>: Loading tcnative was broken in 5.5.28. (rjung)
</fix>
<fix>
Correct CVE-2009-3548. When installed via the Windows installer and
using defaults, don't create an administrative user with a blank
password. Additionally, the administrative user is only created if the
manager or host-manager web applications are selected for installation.
(markt/kkolinko)
</fix>
<update>
Deprecate the jni Buffer and Thread classes. (rjung)
</update>
<update>
Include 32-bit and 64-bit versions of Tomcat Native DLLs into the
Windows installer, instead of downloading them from a web site during
install, and allow it to automatically select the correct one for the
current platform. (kkolinko/mturk)
</update>
<update>
Update Windows installer to use NSIS 2.45. (kkolinko)
</update>
<update>
Update to commons-pool 1.5.4. This fixes regressions in 1.5.2. (markt)
</update>
<fix>
Align server.xml installed by the Windows installer with the one
bundled in zip/tar.gz archives. (kkolinko)
</fix>
<fix>
Encode all property files using ASCII escaped UTF-8. (rjung)
</fix>
<fix>
Correct MD5 generation in the build process. (kkolinko)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>37848</bug>: Re-fix. Don't display info output when there is no
terminal. (markt)
</fix>
<fix>
<bug>39231</bug>: Call LoginModule.logout() when using JAASRealm.
(markt/kkolinko)
</fix>
<fix>
<bug>39844</bug>: Fix NPE when performing a non-HTTP forward.
(billbarker)
</fix>
<fix>
<bug>41059</bug>: Reduce the chances of errors when using
ENABLE_CLEAR_REFERENCES. Patch by Curt Arnold. (markt)
</fix>
<add>
<bug>45255</bug>: Add the ability to change session ID on
authentication to protect against session fixation attacks. This is
disabled by default. (markt/kkolinko)
</add>
<fix>
<bug>46967</bug>: Better handling of errors when trying to use
Manager.randomFile. Based on a patch by Kirk Wolf. (kkolinko)
</fix>
<fix>
<bug>47518</bug>: Correct reference in Valve Javadoc that referred to an
old method. Patch provided by Christopher Schultz. (markt)
</fix>
<fix>
<bug>47537</bug>: Return an error page rather than a zero length 200
response if the forward to the login or error page fails during FORM
authentication. (markt)
</fix>
<fix>
<bug>47718</bug>: Fix file descriptor leak on context stop/reload. Patch
provided by George Sexton. (markt)
</fix>
<fix>
<bug>47826</bug>: Correct error in debug message in
org.apache.catalina.Bootstrap (markt)
</fix>
<fix>
<bug>47963</bug>: Ensure that any HTTP status messages are compliant
with RFC2616. (markt/kkolinko)
</fix>
<fix>
<bug>47997</bug>: Enable the NamingResourcesMBean to work with
non-Server (i.e. Context) containers. Patch provided by Michael Allman.
(markt)
</fix>
<fix>
<bug>48004</bug>: Allow applications to set the Server header. (markt)
</fix>
<fix>
<bug>48007</bug>: Improve exception processing in
CustomObjectInputStream. (kkolinko)
</fix>
<fix>
<bug>48049</bug>: Fix copy and paste error so
<code>NamingContext.destroySubContext()</code> works correctly.
Patch provided by gingyang.xu (markt)
</fix>
<update>
<bug>48097</bug>: Make WebappClassLoader not swallow
AccessControlException. (kkolinko)
</update>
<fix>
<bug>48097</bug>: Avoid throwing an AccessControlException which can
lead to a NoClassDefFoundError on first access of first jsp.
(kkolinko/markt)
</fix>
<fix>
<bug>48322</bug>: Single quote characters are not HTTP separators and
should not be treated as such in the cookie handling. (markt)
</fix>
<add>
Provide an option to allow the use of equals characters in cookie
values. (markt)
</add>
<fix>
<bug>48516</bug>: Prevent NPE in JNDIRealm if requested user does not
exist. Patch provided by Kevin Conaway. (markt)
</fix>
<fix>
<bug>48577</bug>: Filter URL when displaying missing included page.
(markt)
</fix>
<fix>
<bug>48760</bug>: Remove race condition that can result in multiple
threads trying to use the same InputStream. (markt)
</fix>
<fix>
Add an additional permission required by JULI when running under newer
JDKs and a security manager. (markt)
</fix>
<fix>
Close resource stream in WebappClassLoader after read error. (pero)
</fix>
<fix>
Do not swallow exceptions in ApplicationContextFacade.doPrivileged()
(kkolinko)
</fix>
<fix>
Various related (un)deploy improvements including: better handling of
failed (un)deployment; adding checking for invalid zip file entries that
don't make sense in a WAR file; and improved validation of WAR file
names. These changes address CVE-2009-2693, CVE-2009-2901 and
CVE-2009-2902.
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>43327</bug>: Allow APR/native connector to work correctly on
systems when IPv6 is enabled. (markt)
</fix>
<fix>
<bug>46950</bug>: Support SSL renegotiation with APR/native connector.
Note that this requires APR/native 1.1.17 or later. (markt)
</fix>
<fix>
<bug>47225</bug>: Fix error in calculation of a buffer length in the
mapper. (markt)
</fix>
<fix>
<bug>47744</bug>: Prevent a medium term memory leak if using SSL with
the JSSE provider and also using a security manager. Based on a patch by
Greg Vanore. (markt)
</fix>
<fix>
<bug>47987</bug>: Limit size of not found resources cache. (markt)
</fix>
<fix>
<bug>48109</bug>: Ensure InputStream is closed in WebappClassLoader
on error conditions. (markt)
</fix>
<fix>
<bug>48311</bug>: APR should not be initialised if the APR life-cycle
listener is not enabled. (markt)
</fix>
<fix>
<bug>48581</bug>: Avoid security exception on first access. (markt)
</fix>
<fix>
<bug>48584</bug>: Prevent the APR connector logging an error if the
acceptor fails during shutdown since this is expected. (mturk)
</fix>
<fix>
CVE-2009-3555. Provide option to disable legacy SSL renegotiation.
(markt/costin)
</fix>
<fix>
Fix Windows installer to bundle an up-to-date version of native/APR with
it. When asked to install TC-Native it was downloading some very old (1.1.4)
version of it from the HEAnet site. (kkolinko)
</fix>
<update>
Update the native/APR library version bundled with Tomcat to 1.1.20.
(kkolinko)
</update>
<update>
Update recommended version for native to 1.1.19. (rjung)
</update>
<fix>
Remove unneeded line from the method that normalizes decodedURI.
(kkolinko)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>38797</bug>: Fix regression in previous fix for this bug. (markt)
</fix>
<fix>
<bug>41661</bug>: Fix thread safety issue in JspConfig.init() (markt)
</fix>
<fix>
<bug>41824</bug>: Need to use canonical rather than binary form when
writing code. (markt)
</fix>
<fix>
<bug>46907</bug>: Don't swallow input stream when debug logging is
enabled. (markt)
</fix>
<fix>
<bug>48582</bug>: Avoid NPE on background compile. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
DeltaManager needs to replicate changed attributes even if session
gets invalidated. Otherwise session listeners will not see the right
data on the secondary nodes. (rjung)
</fix>
<fix>
Remove unnecessary Java5 dependencies. (markt)
</fix>
<fix>
<bug>46384</bug>: Correct synchronisation issue that could lead to a
cluster member disappearing permanently. (markt)
</fix>
<fix>
<bug>47554</bug>: Include httpOnly attribute when re-writing session
cookie after fail over. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>41564</bug>: Add some information on installing Tomcat as a service
on operating systems with User Account Control, e.g. Vista. (markt)
</fix>
<fix>
<bug>47656</bug>: Add information to documentation on system property
replacement in configuration files. (markt)
</fix>
<fix>
<bug>47769</bug>: Clarify the JNDI docs with respect to use of
&lt;resource-ref&gt; and related elements, specifically when they are
required and when they may be omitted. (markt)
</fix>
<fix>
<bug>48381</bug>: Add information on how Tomcat treats host names to the
host configuration documentation. (markt)
</fix>
<add>
<bug>48530</bug>: Add information on the Manager Server Status page to
the Manager How-To in the documentation webapp. Based on a patch by
Arnaud Espy. (markt)
</add>
<add>
<bug>48532</bug>: Add information to the BIO/NIO SSL configuration page
in the documentation web application to specify how the defaults for the
various trust store attributes are determined. (markt)
</add>
<fix>
<bug>48686</bug>: Fix deleting a host via the Administration web
application rather than failing with an HTTP 500 response. (markt)
</fix>
<add>
Make changelog.xml be directly rendered as HTML by certain browsers.
(kkolinko)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.28 (fhanik)" rtext="released 2009-09-04">
<subsection name="General">
<changelog>
<fix>
<bug>39194</bug>: Make the setting of the classpath consistent for the
.sh and .bat startup scripts. (markt/kkolinko)
</fix>
<fix>
<bug>45880</bug>: Include NOTICE file in Windows installer and make sure
src files are excluded. (markt)
</fix>
<update>
Update to NSIS 2.44 (kkolinko)
</update>
<update>
Build scripts: Use different values for ${tomcat-dbcp.home} and
${jasper-compiler-jdt.home} in tomcat-deps. Fix download task
checks for commons-pool and commons-dbcp. (kkolinko)
</update>
<add>
Add the 64-bit Windows service binaries to the distribution and get the
Windows installer to automatically select the correct one for the
current platform. (markt/kkolinko)
</add>
<update>
Update to commons-pool 1.5.2. This includes various fixes to prevent
deadlocks, reduce syncs and make object allocation occur fairly - i.e.
objects are allocated to threads in the order that the threads request
them. This fixes a number of issues with the version of DBCP embedded
within Tomcat. (markt)
</update>
<update>
Update Tomcat Windows service application (procrun) to version 2.0.5.
It contains a fix for issue <bug>41538</bug> (mturk)
</update>
<fix>
<bug>47149</bug>: Explicitly specify encoding when performing filtering
during copy, fixcrlf or replace operations in build scripts. Don't add
blank lines to files when fixing line endings. Explicitly specify
encoding when compiling. (kkolinko)
</fix>
<fix>
<bug>47464</bug>: Some class files were accidentally included into the
source distributions of TC 5.5.27. (kkolinko)
</fix>
<docs>
Document that building Tomcat requires Ant 1.6.2 or later. (kkolinko)
</docs>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>37458</bug>: Fix sync error that may lead to NPE in rare
circumstances. Patch by Konstantin Kolinko. (markt)
</fix>
<fix>
<bug>37498</bug>: Fall back to container log if application log is
unavailable during context destruction. (markt)
</fix>
<fix>
<bug>37794</bug>: Handle POSTed parameters when sent with chunked
encoding. (markt)
</fix>
<fix>
<bug>37984</bug>: Strip {MD5} as well as {SHA} if present in digest
passwords in LDAP directories. (markt)
</fix>
<fix>
<bug>38553</bug>: A lack of certificates is normal if a user doesn't
have a certificate. Return a 401 rather than a 400 in this case. (markt)
</fix>
<fix>
<bug>38570</bug>: When checking docBase against appBase, make sure we
check for an exact match against the appBase. (markt)
</fix>
<fix>
<bug>39013</bug>: When testing for an invalid docBase, use an exact
match for the appBase. (markt)
</fix>
<fix>
<bug>39396</bug>: Only include TRACE in an OPTIONS response if we know
it has been enabled. (markt)
</fix>
<fix>
Remove wrong "No role found" realm debug log message,
even if a role was found. (rjung)
</fix>
<fix>
<bug>39997</bug>: Add the SSLRandomSeed option to the
AprLifecycleListener to enable faster starts on development systems.
(markt)
</fix>
<fix>
<bug>40380</bug>: Fix potential synchronization issue in
StandardSession.expire(). (markt)
</fix>
<fix>
<bug>41407</bug>: JAAS Realm now works with CLIENT-CERT authentication.
(markt)
</fix>
<add>
<bug>42419</bug>: Add a system property that enables the name of the
session cookie and session path parameter to be configured. (markt)
</add>
<fix>
<bug>42579</bug>: Support both relative and absolute search results in
the JNDI Realm implementation. Patch provided by Brandon DuRette.
(markt)
</fix>
<fix>
<bug>42707</bug>: Make adding a host alias via JMX take effect
immediately. (markt)
</fix>
<fix>
<bug>43343</bug>: Correctly handle requesting a session we are in the
middle of persisting. Based on a suggestion by Wade Chandler.
(markt/kkolinko)
</fix>
<add>
<bug>44382</bug>: Add support for using httpOnly for session cookies.
This is disabled by default. (markt/fhanik)
</add>
<fix>
<bug>45576</bug>: JAAS Realm now works with DIGEST authentication.
(markt)
</fix>
<fix>
<bug>45628</bug>: JARs that do not declare any dependencies should
always be considered as fulfilled. (markt)
</fix>
<fix>
<bug>45933</bug>: Don't use a web application provided parser to process
TLD files. (markt)
</fix>
<fix>
<bug>45996</bug>: Add Accept-Ranges header to responses from the
DefaultServlet with an option to disable it. (markt)
</fix>
<fix>
<bug>46105</bug>: Correctly set URI encoding when replaying a request
after FORM authentication. (markt)
</fix>
<fix>
<bug>46408</bug>: Correct possible invalid case in SecurityUtil. (markt)
</fix>
<fix>
<bug>46552</bug>: Return a 400 response rather than a 200 response if
the request headers are too large. (markt)
</fix>
<fix>
<bug>46597</bug>: Port all cookie handling changes from Tomcat 6.0.x.
(markt)
</fix>
<fix>
<bug>46606</bug>: Make max depth limit for WebDAV servlet configurable.
(markt)
</fix>
<fix>
<bug>46717</bug>: Fix hard to reproduce thread safety issue with session
expiration. (markt)
</fix>
<fix>
<bug>46982</bug>: Fix DST problem with AccessLogValve. (markt)
</fix>
<fix>
Improve handling of situation where web application tries to configure
logging at the context level but the security policy prevents this.
(markt/rjung)
</fix>
<fix>
Fix an information disclosure vulnerability in a number of the Realms
that allowed user enumeration when using FORM authentication. This is
CVE-2009-0580. (markt)
</fix>
<fix>
Fix various WebDAV compliance issues identified by the Litmus test
suite. (markt)
</fix>
<fix>
Use a better default (webapps) for a Host's appBase. (idarwin/markt)
</fix>
<fix>
<bug>44943</bug>: Reduce copy/paste issues caused by different engine
names in server.xml. (markt, kkolinko)
</fix>
<fix>
Remove obsolete classpath entry for commons-logging from start script.
It is already present in the classpath set by the manifest in bootstrap.jar.
(rjung)
</fix>
<fix>
<bug>38483</bug>: Thread safety issues in AccessLogValve classes. (kkolinko)
</fix>
<add>
Allow log file encoding to be configured for JULI FileHandler. (kkolinko)
</add>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>36923</bug>: Parse deactivated EL expressions correctly. (markt)
</fix>
<fix>
<bug>37084</bug>: Fix JspC compilation with Ant when compiling JSPs that
use a custom taglib. (markt/kkolinko)
</fix>
<fix>
<bug>37515</bug>: Add options for Java 1.6 and 1.7 to the JDT compiler.
(markt)
</fix>
<fix>
<bug>38197</bug>: Fix tag pooling when tags are used with jsp:attribute.
(markt)
</fix>
<fix>
<bug>38352</bug>: Make the directory defined by
javax.servlet.context.tempdir readable for JSPs when running under a
security manager as required by the specification. (markt)
</fix>
<fix>
<bug>38797</bug>: Revert previous fix for <bug>37933</bug> and implement
a new fix that does not have the side effects described in
<bug>38797</bug>.
</fix>
<fix>
<bug>38897</bug>: Add uri of broken TLD to error message to aid
debugging. (markt)
</fix>
<fix>
<bug>41606</bug>: Fix double initialisation of JSPs. Patch provided by
Chris Halstead. (markt)
</fix>
<fix>
<bug>45666</bug>: Fix infinite loop on include. Patch provided by Tom
Wadzinski. (markt)
</fix>
<fix>
<bug>46354</bug>: Fix ArrayIndexOutOfBoundsException when using
org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true. Patch
provided by Konstantin Kolinko. (markt)
</fix>
<fix>
<bug>46909</bug>: Only include semi-colon in type attribute for
&lt;jsp:plugin&gt; when it is required. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
Fix minor memory leak found by FindBugs. (markt, rjung)
</fix>
<fix>
<bug>40551</bug>: Enable the JvmRouteBinderValve to work with
PersistentManagers as well as clustering. Patch by Chris Chandler.
(markt)
</fix>
<fix>
<bug>46357</bug>: Corrected test for host's parent must be an engine.
(markt, rjung)
</fix>
<update>
<bug>45317</bug>: Properly log the value of the state transfer timeout flag.
(fhanik, rjung)
</update>
<fix>
<bug>45279</bug>: Properly close multicast socket. (fhanik, rjung)
</fix>
<fix>
<bug>45447</bug>: Add Spanish resource files.
Patch provided by Jesus Marin. (markt, rjung)
</fix>
<fix>
<bug>46990</bug>: Fix synchronization issues in cluster membership
reported by FindBugs. Patch provided by Sebb. (markt, rjung)
</fix>
<fix>
<bug>47389</bug>: DeltaManager doesn't do session replication if
notifySessionListenersOnReplication=false.
Patch by Keiichi Fujino. (fhanik, rjung)
</fix>
<fix>
Separate statistics counter lock in FastAsyncSocketSender from inherited
DataSender lock to reduce blocking during failed node detection. (rjung)
</fix>
<fix>
Handle the situation of session ID rewriting on fail-over with parallel requests
from the same client. (pero)
</fix>
<fix>
<bug>43641</bug>: Use of bind attribute for membership element breaks
multicast. (rjung)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
Fix CVE-2009-0781. XSS in calendar example. (markt)
</fix>
<fix>
<bug>36574</bug>: Fix broken PDFs. (markt)
</fix>
<fix>
<bug>39603</bug>: Admin app only showed ROOT web application when
clustering was enabled. (markt)
</fix>
<fix>
<bug>47032</bug>: Fix /status/all in Manager webapp when using the
PersistentManager. (markt)
</fix>
<fix>
<bug>47235</bug>: Remove use of autoReconnect from MySQL examples.
(mark)
</fix>
<fix>
<bug>46509</bug>: Use correct link on error page in JSP security
example. Patch provided by Michael Moody. (markt)
</fix>
<fix>
<bug>46562</bug>: Close file when reading has finished when using SSI.
(markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote" >
<changelog>
<fix>
<bug>37869</bug>: Correctly extract client certificates, including the
full certificate chain when using the APR/native HTTP connector. (markt)
</fix>
<fix>
<bug>39637</bug>: Correctly extract client certificates, including the
full certificate chain when using the AJP connectors. Patch by Patrik
Schnellmann. (markt)
</fix>
<update>
Set remote port for AJP connectors from the optional request
attribute AJP_REMOTE_PORT. (rjung)
</update>
<fix>
<bug>45026</bug>: Never return an empty HTTP status reason phrase.
mod_jk and httpd 2.x do not like that. (rjung)
</fix>
<fix>
<bug>45528</bug>: An invalid SSL configuration could cause an infinite
logging loop on startup. (markt)
</fix>
<fix>
<bug>46984</bug>: Reject requests with invalid HTTP methods with a 400
rather than a 501. (markt)
</fix>
<update>
Update the APR/native connector to 1.1.16. (markt, kkolinko)
</update>
<fix>
Correct potential DOS issue in Java AJP connector when processing
invalid request headers. This is CVE-2009-0033. (markt)
</fix>
<fix>
Make DateTool thread safe. (fhanik)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.27 (fhanik)" rtext="released 2008-09-08">
<subsection name="General">
<changelog>
<fix>
<bug>44463</bug>: War file upload in manager webapp fails due to missing
commons-io dependency. Added commons-io 1.4. (rjung)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>46770</bug>: Don't send duplicate headers when using flushBuffer(). (rjung)
</fix>
<fix>
<bug>44021</bug>, <bug>43013</bug>: Add support for # to signify multi-level contexts for directories and wars.
</fix>
<fix>
<bug>44494</bug>: Backport from 6.0 (rjung)
</fix>
<fix>
Add additional checks for URI normalization. (remm)
</fix>
<fix>
Don't throw an ArrayIndexOutOfBoundsException when empty URL is
requested. Patch provided by Charles R Caldarale. (markt)
</fix>
<fix>
<bug>29936</bug>: Don't use parser from a webapp to parse web.xml and possibly
context.xml files. (markt)
</fix>
<fix>
<bug>43079</bug>: Correct pattern verification for suspicious URLs.
Patch provided by John Kew. (markt)
</fix>
<fix>
<bug>43080</bug>: Log suspicious URL pattern warnings to the correct
web application. (markt)
</fix>
<fix>
<bug>43117</bug>: Setting an empty workDIR could delete all of
CATALINA_HOME. Patch provided by Takayuki Kaneko. (markt)
</fix>
<fix>
<bug>44282</bug>: Prevent security exception in trace level logging for
web application class loader when running under a security manager.
(markt)
</fix>
<fix>
<bug>44529</bug>: No roles specified (deny all) should take precedence
over no auth-constraint specified (allow-all). (markt)
</fix>
<fix>
<bug>43578</bug>: Enable start on Linux if $CATALINA_HOME contains a
space. Original patch provided by Ray Sauers with improvements by Ian
Ward Comfort. (markt)
</fix>
<fix>
<bug>44673</bug>: Throw IOE if ServletInputStream is closed and a call
is made to any read(), ready(), mark(), reset(), or skip() method as per
javadocs for Reader. (markt)
</fix>
<fix>
Enable the CGIServlet to work with Windows Vista. (markt)
</fix>
<fix>
Add additional permission required to read JDK logging configuration
when running with a security manager. (markt)
</fix>
<fix>
<bug>44943</bug>: Reduce copy/paste issues caused by different engine
names in server.xml. (markt)
</fix>
<fix>
<bug>45195</bug>: Prevent NPE when calling
<code>Session.getAttribute(null)</code> and
<code>Session.removeAttribute(null)</code>. The spec is unclear but this
is a regression from 5.0.x. (markt)
</fix>
<fix>
<bug>45293</bug>: Update name of commons-logging jar in security policy.
(markt)
</fix>
<fix>
<bug>45453</bug>: Fix race condition in JDBC Realm. Based on a patch
provided by Santtu Hyrkk. (markt)
</fix>
<fix>
JAAS Realm did not read role information for users. (markt)
</fix>
<fix>
<bug>46683</bug>: Fix typo in French localisation file name for the
org.apache.catalina.loader package. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<update>
Log errors for AJP signoffs at DEBUG level, since it is harmless if
mod_jk has hung up the phone. (billbarker)
</update>
<fix>
<bug>42727</bug>: Handle request lines that are exact multiples of 4096
in length. Patch provided by Will Pugh. (markt)
</fix>
<fix>
<bug>43191</bug>: Compression could not be disabled for some file types.
Based on a patch by Len Popp. (markt)
</fix>
<fix>
<bug>45591</bug>: Fix NPE on shutdown failure in some cases. Based on a
patch by Matt Passell. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>31257</bug>: Quote endorsed dirs if they contain a space. (markt)
</fix>
<fix>
<bug>42943</bug>: Make sure nested element is inside &lt;jsp:text&gt;
element before throwing exception. (markt)
</fix>
<fix>
<bug>44877</bug>: Prevent collisions in tag pool names. (markt)
</fix>
<fix>
<bug>45015</bug>: Enforce JSP spec rules on quoting in attributes. This is
configurable using the system property
<code>org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING</code>.
(markt)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>42899</bug>: When saving config from admin app, correctly handle
case where the old config file does not exist. (markt)
</fix>
<fix>
<bug>44541</bug>: Document packetSize attribute for AJP connector.
(markt)
</fix>
<fix>
<bug>44715</bug>: Document use of secret for AJP connector. (markt)
</fix>
<update>
<bug>45323</bug>: Add note that context.xml files can only contain a
single Context element. (markt)
</update>
<fix>
Update JNDI datasource docs since maxActive setting for unlimited
changed in commons-pool > 1.2. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Specification">
<changelog>
<fix>
Use a localised error message if a user tries to write a negative length
byte array during default processing of a HEAD request. (markt)
</fix>
<fix>
<bug>44562</bug>: HEAD requests cannot use includes. Patch provided by
David Jencks. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.26 (fhanik)" rtext="released 2008-02-05">
<subsection name="General">
<changelog>
<update>
Use Eclipse JDT 3.3.1. (pero)
</update>
<update>
Use new commons download location. (markt)
</update>
<update>
Use commons-launcher 1.1. (markt)
</update>
<update>
Use commons-digester 1.8. (markt)
</update>
<update>
Use Xerces 2.9.1. (markt)
</update>
<update>
Remove unused commons-httpclient. (funkman)
</update>
<update>
Use commons-collections 3.2. (markt)
</update>
<update>
Use commons-fileupload 1.2. (markt)
</update>
<update>
Use MX4J 3.0.2. (markt)
</update>
<update>
Use JUnit 3.8.2. (markt)
</update>
<update>
Use NSIS 2.34. (markt)
</update>
<update>
Use Struts 1.2.9. (markt)
</update>
<update>
Use JAF 1.1.1. (markt)
</update>
<update>
Use JTA 1.1. (markt)
</update>
<update>
Use JavaMail 1.4.1. (markt)
</update>
<update>
Use PureTLS 0.9b5. (markt)
</update>
<update>
Use commons-pool 1.4. (markt)
</update>
<fix>
<bug>43594</bug>: Use setenv from CATALINA_BASE (if set) in preference
to the one in CATALINA_HOME. Patch provided by Shaddy Baddah. (markt)
</fix>
<fix>
Fix CVE-2007-5342 by limiting permissions granted to JULI. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>38131</bug>: WatchedResource doesn't work if app is outside host appbase webapps.
Patch provided by Peter Lynch (pero)
</fix>
<fix>
Set correct sessionCounter at StandardManager after reload sessions. (pero)
</fix>
<fix>
Fix NPE situation at AccessLogValve (pero)
</fix>
<fix>
<bug>30949</bug>: Improve previous fix. Ensure requests are recycled
on cross-context includes and forwards when an exception occurs in the
target page. (markt)
</fix>
<fix>
<bug>43216</bug>: Set correct StandardSession#accessCount as system property STRICT_SERVLET_COMPLIANCE is true after application restart with SESSION.ser file.
Patch provided by Takayuki Kaneko (pero)
</fix>
<add>
Made session createTime accessible for all SessionManager via JMX (pero)
</add>
<add>
Support logging of all response header values at ExtendedAccessLogValve (ex. add x-O(Set-Cookie) to your pattern). (pero)
</add>
<add>
Support logging of current thread name at AccessLogValve (ex. add %I to your pattern).
Useful to compare an access logging entry later with stack traces. (pero)
</add>
<fix>
o.a.juli.ClassLoaderLogManager handles more than one system property replacement at file logging.properties. (pero)
</fix>
<fix>
<bug>43236</bug>: Reset usingWriter and associated flags when response
is reset. (markt)
</fix>
<fix>
<bug>43241</bug>: ServletContext.getResourceAsStream() not spec
compliant. Patch provided by John Kew. (markt)
</fix>
<fix>
<bug>43675</bug>: Fix a possible logging related class loader leak.
(markt)
</fix>
<fix>
<bug>43687</bug>: Remove conditional headers on Form Auth replay, since the UA (esp. FireFox) isn't expecting it. (billbarker)
</fix>
<fix>
Fix bug in CGI Servlet that caused it to fail when a CGI resource was
included in another resource. (markt)
</fix>
<fix>
Cookie handling/parsing changes!
The following behavior has been changed with regards to Tomcat's cookie
handling:<br/>
a) Cookies containing control characters, except 0x09(HT), are rejected
using an InvalidArgumentException.<br/>
b) If cookies are not quoted, they will be quoted if they contain
<code>tspecials(ver0)</code> or <code>tspecials2(ver1)</code>
characters.<br/>
c) Escape character '\\' is allowed and respected as an escape character,
and will be unescaped during parsing.
</fix>
<fix>
<bug>43839</bug>: URL based session tracking fails when session cookie
from parent context is present. Based on a patch by Yuan Qingyun.
(markt)
</fix>
<fix>
<bug>43887</bug>: Include exception in the log message. (markt)
</fix>
<fix>
<bug>43914</bug>: Location headers must be encoded. Patch provided by
Ivan Todoroski. (markt)
</fix>
<fix>
<bug>43957</bug>: Service.bat didn't configure logging correctly.
Patch provided by Richard Fearn. (markt)
</fix>
<fix>
<bug>44041</bug>: Fix duplicate class definition error under load.
(markt)
</fix>
<fix>
<bug>44084</bug>: JAASRealm is broken for application provided
Principals. Patch provided by Noah Levitt. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper" >
<changelog>
<fix>
<bug>43702</bug>: Reduce length of unnecessarily long class names for
the inner helper class when using simple tags. (markt)
</fix>
<fix>
<bug>43757</bug>: Rather than use string matching to work out the line
in the JSP with the error, use the SMAP info and the knowledge that for
a scriptlet there is a one to one line mapping. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
Fix FarmWarDeployer can be only configured at host subelement (pero)
</fix>
<fix>
Fix wrong &amp;&amp; at ReplicationValve (pero)
</fix>
<fix>
DeltaManager sessionCounter must also be incremented for replicated sessions. (pero)
</fix>
<add>
Made attribute createTime accessible for all DataSenders. (pero)
</add>
</changelog>
</subsection>
<subsection name="Webapps" >
<changelog>
<fix>
Fix CVE-2007-5461, an important information disclosure vulnerability in
the WebDAV Servlet. (markt)
</fix>
<fix>
<bug>43611</bug>: Provide an error message when trying to upload a WAR
for a context that has been defined in server.xml. (markt)
</fix>
<fix>
<bug>44094</bug>: Add note to docs about side-effects of setting
privileged on a context. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote" >
<changelog>
<fix>
<bug>43479</bug>: Fix memory leak cleaning up sendfile connections.
(markt)
</fix>
<fix>
<bug>43622</bug>: Don't always overwrite min compression size with
default. (markt)
</fix>
<fix>
<bug>43995</bug>: No timeout for sendfile (TODO item had been
forgotten). (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.25 (fhanik)" rtext="released 2007-09-08">
<subsection name="General">
<changelog>
<docs>
Correct j.u.l log levels in JULI docs. (rjung)
</docs>
<update>
Update to Commons Modeler 2.0.1, fix embed release starting issue. (pero)
</update>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
Handle special case of ROOT when re-loading webapp after ROOT.xml has
been modified. In some circumstances the reloaded ROOT webapp had no
associated resources. (markt)
</fix>
<fix>
Fix WebDAV Servlet so it works correctly with MS clients. (markt)
</fix>
<fix>
Remove invalid attribute "encoding" of MBean MemoryUserDatabase,
which led to errors in the manager webapp JMXProxy output. (rjung)
</fix>
<fix>
Fix XSS security vulnerability (CVE-2007-2450) in the Manager and Host
Manager. Reported by Daiki Fukumori. (markt)
</fix>
<add>
<bug>39055</bug>: Add JMXAdaptorLifecycleListener to start JMX Connector
with fixed naming and data ports. This feature is needed to have stable
remote access when a firewall is active. The adaptor reads all standard
JMX system properties (-Dcom.sun.management.jmxremote.XXX). Currently
only included at src release (uses JDK 1.5 classes).
Feature provided by George Lindholm and Juergen Herrman (pero)
</add>
<fix>
<bug>41722</bug>: Make the role-link element optional (as required by
the spec) when using a security-role-ref element. (markt)
</fix>
<fix>
<bug>42547</bug>: Fix NPE when a ResourceLink in context.xml tries to
override an env-entry in web.xml. (markt)
</fix>
<fix>
<bug>42944</bug>: Correctly handle servlet mappings that use a '+'
character as part of the url pattern. (markt)
</fix>
<fix>
Improve large-file support (more than 4 Gb) at all AccessLogValves. (pero)
</fix>
<update>
<bug>43129</bug>: Support logging of response headers at AccessLogValve (ex. add %{Set-Cookie}o to your pattern). (pero)
</update>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>2500</bug>: FileNotFoundException within a JSP pages resulted in a
404 rather than a 500. (markt)
</fix>
<fix>
<bug>37326</bug>: No error reported when an included page does not
exist. (markt)
</fix>
<fix>
<bug>42643</bug>: Prevent creation of duplicate JSP function mapper
variables. (markt)
</fix>
<fix>
<bug>42314</bug>: Provide compilation error details in cases where the
error can't be mapped back to a source file. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
Don't write error on System.out, use log() instead. (rjung)
</fix>
<fix>
Fix XSS security vulnerabilities (CVE-2007-2449) in the examples.
Reported by Toshiharu Sugiyama. (markt)
</fix>
<fix>
<bug>39212</bug>: Fix possible NPE in DummyCart example and remove
redundant code. (markt)
</fix>
<fix>
<bug>42979</bug>: Update sample.war to include recent security fixes
in the source code. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Separate sequence increment from getter in ThreadPool to avoid
misleading increments during monitoring via JMX. (rjung)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
<bug>40042</bug>: Recovery membership heartbeat after interface down. (pero)
</fix>
<fix>
<bug>42691</bug>: Don't set access time after session sync. Fix that sessions
after node restart better expire. Requested by Casey Lucas (pero)
</fix>
<fix>
Backport Tomcat 6 cluster socket parameter. (pero)
</fix>
<fix>
Fix typo in new MBean attribute which led to errors in the manager webapp JMXProxy output. (rjung)
</fix>
<fix>
<bug>42689</bug>: No way to timeout new connect attempts for replication sockets.
Patch by Casey Lucas (pero)
</fix>
<fix>
Fix timeout setting on a replicated DeltaSession.
Patch by Alexander Maas (fhanik,pero)
</fix>
<fix>
<bug>42720</bug>: Don't send a message if no cluster member exists.
Patch by Keiichi Fujino (pero)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.24 (fhanik)" rtext="not released">
<subsection name="General">
<changelog>
<update>
Update to Commons DBCP src 1.2.2 (pero)
</update>
<update>
Update to Commons Pool src 1.3 (pero)
</update>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>33774</bug> Retry JNDI authentication on ServiceUnavailableException
as at least one provider throws this after an idle connection has been
closed. (markt)
</fix>
<fix>
<bug>40593</bug> Cleanup that Listener stop after Manager stop
at StandardContext.stop(). Patch by Suzuki Yuichiro (pero)
</fix>
<fix>
<bug>41747</bug> Correct example ant script for deploy task. (markt)
</fix>
<fix>
<bug>41752</bug> Correct error message on exception in MemoryRealm.
(markt)
</fix>
<fix>
<bug>39875</bug> Minor cleanup in RealmBase.init, as requested by Takayoshi Kimura. (yoavs)
</fix>
<fix>
<bug>41477</bug> Add commons-el.jar to bin/catalina-tasks.xml, required for jasper2 tasks
using EL. Patch by Daniel Santos. (yoavs)
</fix>
<fix>
<bug>40150</bug> Ensure user and role classnames are validated on startup. Patch by
Tom. (yoavs)
</fix>
<fix>
<bug>42039</bug> Log a stack trace if a servlet throws an
UnavailableException. Patch provided by Kawasima Kazuh. (markt)
</fix>
<fix>
<bug>41990</bug> Add some additional mime-type mappings. (markt)
</fix>
<fix>
<bug>41655</bug> Fix message translations. Japanese translations
provided by Suzuki Yuichiro. (markt)
</fix>
<fix>
<bug>41939</bug> Add configuration option to disable nulling of static
and final fields of loaded classes when stopping a web application
classloader. Setting the system property
org.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES to
false will stop these fields being set to null on context stop. (markt)
</fix>
<fix>
Fix a logging related memory leak in ManagerBase and
ApplicationDispatcher. (markt)
</fix>
<fix>
<bug>42354</bug>: Ensure JARs in webapps are scanned for TLDs when the
Tomcat installation path contains spaces. (markt)
</fix>
<fix>
<bug>42361</bug>: Handle multi-part forms when saving requests during
FORM authentication process. Patch provided by Peter Runge. (markt)
</fix>
<fix>
<bug>42401</bug>: Update RUNNING.txt with better JRE/JDK information.
(markt)
</fix>
<fix>
<bug>42497</bug>: Ensure ETag header is present in a 304 response.
Patch provided by Len Popp. (markt)
</fix>
<fix>
Allow for a forward/include to call getAttributeNames on the Request in a sandbox. (billbarker)
</fix>
<add>
Add getSession() operation to StandardManager and DeltaManager JMX Interface (pero)
</add>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<update>
Update host configuration document for new behaviour for directories
in appBase. (markt)
</update>
<update>
<bug>39883</bug> Add note to context configuration document about using
antiResourceLocking on a webapp outside the Host's appBase directory. (yoavs)
</update>
<update>
<bug>39540</bug> Add link to httpd 2.2 mod_proxy_ajp docs in AJP connector doc. (yoavs)
</update>
<fix>
<bug>41289</bug>: Create configBase, since it is no longer created elsewhere.
Submitted by Shiva Kumar H R. (pero)
</fix>
<fix>
<bug>42103</bug>: Use correct names for truststoreFile, truststoreType and
truststorePass when saving server.xml in Admin webapp. Patch provided by
Matheus Bastos. (markt)
</fix>
<fix>
<bug>42025</bug>: Update valve documentation to refer to correct regular
expression implementation. (markt)
</fix>
<fix>
<bug>41956</bug>: Don't skip the connector address attribute when
persisting server.xml changes via the admin webapp. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>40960</bug> Inconsistent exception type thrown on socket timeout in
InternalAprInputBuffer. Patch by Christophe Pierret. (yoavs)
</fix>
<add>
<bug>41675</bug> Add a couple of DEBUG-level logging statements to Http11Processors
when sending error responses. Patch by Ralf Hauser. (yoavs)
</add>
<fix>
<bug>42119</bug> Fix return value for request.getCharacterEncoding() when
Content-Type headers contain parameters other than charset. Patch by
Leigh L Klotz Jr. (markt)
</fix>
<fix>
<bug>36155</bug> Always reset the MB when doing getBytes in the JK Connector (billbarker)
</fix>
<fix>
Improve large-file support in the AJP Connectors (billbarker)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
Receiver can also use tcpListenAddress with a hostname. (rjung, pero)
</fix>
<fix>
DeltaRequest synchronized getSize() and show log message as
readExternal() failure. (rjung, pero)
</fix>
<add>
Add DeltaManager expireTolerance attribute to quicker auto expire long backup sessions. (rjung, pero)
</add>
<add>
Add DeltaManager updateActiveIntervall attribute to send every 60 sec a session access message. (rjung, pero)
</add>
<fix>
<bug>39866</bug> Duplicate names appended to cluster manager name. (yoavs)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>39425</bug> Add additional system property permission to
catalina.policy for pre-compiled JSPs. (markt)
</fix>
<fix>
<bug>41227</bug> Add a bit of DEBUG-level logging to JspC so users know
which file is being compiled. (yoavs)
</fix>
<fix>
<bug>41869</bug> TagData.getAttribute() should return
TagData.REQUEST_TIME_VALUE when the attribute value is an EL expression.
(markt)
</fix>
<fix>
<bug>42071</bug> Fix IllegalStateException on multiple requests to
an unavailable JSP. Patch provided by Kawasima Kazuh. (markt)
</fix>
<fix>
After a JSP throws an UnavailableException allow it to be accessed once
the unavailable period has expired. (markt)
</fix>
<fix>
<bug>42072</bug> Don't call destroy() if the associated init() fails.
Patch provided by Kawasima Kazuh. (markt)
</fix>
<fix>
Fix a logging related memory leak in PageContextImpl. (markt)
</fix>
<fix>
<bug>42438</bug> Duplicate temporary variables were created when
jsp:attribute was used in conjunction with custom tags. Patch provided
by Brian Lenz. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.23 (fhanik)" rtext="released 2007-03-09">
<subsection name="Catalina">
<changelog>
<fix>
<bug>41608</bug> Make log levels consistent when Servlet.service()
throws an exception. (markt)
</fix>
<fix>
<bug>41666</bug> Correct handling of boundary conditions for
If-Unmodified-Since and If-Modified-Since headers. Patch provided by
Suzuki Yuichiro. (markt)
</fix>
<fix>
<bug>41674</bug> Fix error messages when parsing context.xml that
incorrectly referred to web.xml. (markt)
</fix>
<fix>
<bug>41739</bug> Correct handling of servlets with a load-on-startup
value of zero. These are now the first servlets to be started. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Requests with multiple content-length headers are now rejected. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.22 (fhanik)" rtext="not released">
<subsection name="General">
<changelog>
<fix>
Fix regression in build that prevented connectors from building.
(markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.21 (fhanik)" rtext="not released">
<subsection name="Catalina">
<changelog>
<fix>
<bug>41401</bug>: StandardService.getConnectorNames() return array of
Connector JMX objectnames. (pero)
</fix>
<fix>
<bug>29727</bug>: If env-entry values in web.xml are changed then
ensure new values are applied when context is reloaded. (markt)
</fix>
<fix>
<bug>34956</bug>: Ensure request and response objects passed to a
RequestDispatcher meet the requirements of SRV.8.2 and
SRV.14.2.5.1. This is disabled by default. The Java option
<code>-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true</code>
is required to enable this test. (markt)
</fix>
<fix>
<bug>36274</bug>: When including static content with the
DefaultServlet also treat content types ending in xml as text.
(markt)
</fix>
<fix>
<bug>36976</bug>: Don't use CATALINA_OPTS when stopping Tomcat. This
allows options for starting and stopping to be set on JAVA_OPTS and
options for starting only to be set on CATALINA_OPTS. Without this
fix, some startup options (eg the port for remote JMX) would cause
stop to fail. Based on a fix suggested by Michael Vorburger. (markt)
</fix>
<fix>
<bug>37070</bug>: Update mbean name documentation to include the
StandardWrapper. (markt)
</fix>
<fix>
<bug>37356</bug>: Ensure sessions time out correctly. This has been
fixed by removing the accessCount feature by default. This feature
prevents the session from timing out whilst requests that last
longer than the session time out are being processed. This feature
is enabled by setting the Java option
<code>-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true</code>.
The feature is now implemented with synchronization which addresses
the thread safety issues associated with the original bug report.
(markt)
</fix>
<fix>
<bug>37439</bug>: Update documentation for Engine component to add
the requirement that the name must be unique. (markt)
</fix>
<fix>
<bug>37458</bug>: Add syncs to the WebappClassloader to address
rare issues when multiple threads attempt to load the same class
concurrently. (markt)
</fix>
<fix>
<bug>37509</bug>: Do not remove whitespace from the end of values
defined in logging.properties files. (markt)
</fix>
<fix>
<bug>38198</bug>: Add reference to Context documentation from Host
documentation that explains how Context name is obtained from the
Context filename. (markt)
</fix>
<fix>
<bug>39088</bug>: Prevent infinite loops when an exception is thrown
that returns itself for getRootCause(). Based on a patch by Wouter
Zelle. (markt)
</fix>
<fix>
<bug>39436</bug>: Correct MIME type for SVG. (markt)
</fix>
<fix>
<bug>39627</bug>: JULI no longer ignores a ".level=XXX" directive
in logging.properties. Patch provided by Roger Keays and Richard
Fearn. (markt)
</fix>
<fix>
<bug>39724</bug>: Removing the last valve from a pipeline did not
return the pipeline to the original state. Patch provided by
David Gagon. (markt)
</fix>
<fix>
<bug>40367</bug>: Update JK auto configuration documentation to clarify
that workers.properties must also exist. (markt)
</fix>
<fix>
<bug>40524</bug>: HttpServletRequest.getAuthType() now returns
CLIENT_CERT rather than CLIENT-CERT for certificate authentication
as per the spec. Note that web.xml continues to use CLIENT-CERT to
specify that certificate authentication should be used. (markt)
</fix>
<fix>
<bug>40526</bug>: Add support for JPDA_OPTS to catalina.bat and add a
JPDA_SUSPEND environment variable to both startup scripts. Patch
provided by Kurt Roy. (markt)
</fix>
<fix>
<bug>40528</bug>: Add missing message localisations as provided by
Ben Clifford. (markt)
</fix>
<fix>
<bug>40585</bug>: Fix parameterised constructor for o.a.juli.FileHandler
so parameters have an effect. (markt)
</fix>
<fix>
<bug>40625</bug>: Stop CGIServlet swallowing the root cause of an
exception. Patch provided by Takayoshi Kimura. (markt)
</fix>
<fix>
<bug>40723</bug>: Correct table creation example in JavaDoc for
JDBCAccessLogValve. (markt)
</fix>
<fix>
<bug>40802</bug>: Add jsp-api.jar to fileset in catalina-tasks.xml as provided by
Daniel Santos. (pero)
</fix>
<fix>
<bug>40817</bug>: Correct problem where CGI scripts in the root of the
ROOT context threw a <code>StringIndexOutOfBoundsException</code>.
(markt)
</fix>
<update>
Set the <code>SCRIPT_FILENAME</code> environment variable required
by PHP when using the CGIServlet to execute PHP. (markt)
</update>
<fix>
<bug>40823</bug>: Update context doc to clarify use of ROOT.xml,
multi-level context paths and to further discourage use of server.xml
(markt)
</fix>
<fix>
<bug>40844</bug>: Add additional syncs to JDBCRealm to resolve NPE when
two users try to authenticate using DIGEST authentication at the same
time. (markt)
</fix>
<fix>
<bug>40860</bug>: Log exceptions and other problems during parameter
processing. (markt)
</fix>
<fix>
<bug>40901</bug>: Encode directory listing output. Based on a patch
provided by Chris Halstead. (markt)
</fix>
<fix>
<bug>40929</bug>: Correct JavaDoc for StandardClassLoader. (markt)
</fix>
<fix>
<bug>41008</bug>: Allow POST to be used for indexed queries with CGI
Servlet. Patch provided by Chris Halstead. (markt)
</fix>
<fix>
<bug>41020</bug>: Improve error message when custom error report Valve
fails to load. Also remove requirement that custom error report Valves
extend ValveBase. (markt)
</fix>
<fix>
<bug>41217</bug>: Set secure attribute on SSO cookie when cookie is
created during a secure request. Patch provided by Chris Halstead.
(markt)
</fix>
<fix>
Ensure Accept-Language headers conform to RFC 2616. Ignore them if
they do not. (markt)
</fix>
<fix>
Make provided instances of RequestDispatcher thread safe. (markt)
</fix>
<fix>
Fix formatting of CGI variable SCRIPT_NAME. (markt)
</fix>
<fix>
<bug>34643</bug>: Improved documentation for per-user / per-session clientAuth
usage in SSL Authenticator. Docs provided by jack and Ralf Hauser. (yoavs)
</fix>
<fix>
<bug>40668</bug>: Update release notes and readme files specific to v5.5.20 to
notify users of missing MailSessionFactory in distribution, suggest workarounds,
and link to relevant Bugzilla issue. (yoavs)
</fix>
<fix>
<bug>37977</bug>: adapt BUILDING.txt and net build.xml for SVN. Patch by
Christopher Sahnwaldt. (yoavs)
</fix>
<update>
<bug>39055</bug>: Link to sample workaround code for using JSR160 JMX monitoring
with a local firewall. Thanks to George Lindholm for the patch. (yoavs)
</update>
<update>
<bug>39476</bug>: add xml declaration to most build.xml files, as suggested by
Gregory S. Hoerner Sr. (yoavs)
</update>
<fix>
<bug>40326</bug>: stop using File#deleteOnExit in DefaultServlet to avoid
JVM memory leak, as suggested by quartz. (yoavs)
</fix>
<fix>
<bug>40192</bug>: update setup.html notes regarding Windows tray icon. (yoavs)
</fix>
<fix>
<bug>40177</bug>: add more warnings to documentation about RequestDumperValve
character encoding. (yoavs)
</fix>
<fix>
<bug>39255</bug>: NPE in AuthenticatorBase when logging level is set to DEBUG
and no principal found. (yoavs)
</fix>
<fix>
<bug>41437</bug>: Make log messages and loglevel consistent during Context
start. Patch provided by Suzuki Yuichiro. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>38332</bug>: Add backlog attribute to ChannelSocket as provided by
Takayoshi Kimura. (pero)
</fix>
<update>
Backport packetSize feature from Tomcat 6.0.x at standard coyote AJP Jk handler. (pero)
</update>
<fix>
<bug>40771</bug>: Fix implementation of
SavedRequestInputFilter.doRead() so POST data may be read using a
Valve or Filter. Patch provided by Michael Dufel. (markt)
</fix>
<fix>
<bug>41017</bug>: Restore behaviour of MessageBytes.setString(null).
(remm/markt)
</fix>
<fix>
<bug>41057</bug>: Modify StringCache to add a configurable upper bound
to the length of cached strings. (remm/markt)
</fix>
<fix>
<bug>38774</bug>: Check javax.net.ssl.keyStorePassword system property as a secondary
source for keystore password in JSSESocketFactory, as suggested by Ted X. Toth. (yoavs)
</fix>
<fix>
<bug>39402</bug>: Modify existing Vary HTTP header, rather than overwrite it, if it
exists when using GZip compression. Patch by Matthew Cooke. (yoavs)
</fix>
<fix>
<bug>40241</bug>: Catch Exceptions instead of Throwables in Default and SSI servlets.
Also improve relevant logging while we're at it. (yoavs)
</fix>
<fix>
<bug>40133</bug>: Better error message when context name is not available on startup,
as suggested by Andreas Plesner Jacobsen. (yoavs)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>39975</bug>: don't have static Log references to prevent
classloader leaks. (yoavs)
</fix>
<fix>
<bug>40104</bug>: When displaying JSP source after an exception, handle
included files. (markt)
</fix>
<fix>
<bug>40797</bug>: This was a regression as a result of the fix for
<bug>33407</bug>. TLD validation was failing as a result of the use
of the escape character (0x1b) as a temporary replacement for \$.
An alternative character (0xe000) from the unicode private use range
is now used. (markt)
</fix>
<fix>
<bug>41057</bug>: Make jsp:plugin output XHTML compliant. (markt)
</fix>
<fix>
<bug>41327</bug>: Show full URI for a 404. Patch provided by Vijay.
(markt)
</fix>
<fix>
<bug>41265</bug>: Allow JspServlet checkInterval init parameter to be
explicitly set to the stated default value of zero by removing the
code that resets it to 300 if explicitly specified as zero. (markt)
</fix>
<fix>
Display the JSP source when a compilation error occurs and display
the correct line number rather than start of a scriptlet block. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>34952</bug>: Clarify that the Windows Installer always installs
a Windows service. (markt)
</fix>
<fix>
<bug>35968</bug>: Make environment entry properties input a text area.
Patch provided by Tristan Marly. (markt)
</fix>
<fix>
<bug>37588</bug>: Fix creation of JNDI Realm in admin application. Patch
provided by Terry Zhou. (markt)
</fix>
<fix>
<bug>38048</bug>: Fix memory leak associated with use of expression
language in JSPs. Patch provided by Taras Tielkes. (markt)
</fix>
<fix>
<bug>39572</bug>: Improvements to CompressionFilter example provided by
Eric Hedström. (markt)
</fix>
<update>
<bug>40507</bug>: Update host-manager and servlet-examples web-apps to
use the servlet 2.4 xsd. Patch provided by Chris Halstead. (markt)
</update>
<fix>
<bug>40581</bug>: Add information on the use of a symbolic link as the
docBase for a Context to the Context documentation. (markt)
</fix>
<fix>
<bug>40633</bug>: Remove references to the DefaultContext from the
documentation. (markt)
</fix>
<fix>
<bug>40677</bug>: Update SSL documentation to indicate that PKCS11
keystores may be used. (markt)
</fix>
<fix>
<bug>40714</bug>: Admin webapp no longer requires a username for a
DataSource since it is not required in all cases. (markt)
</fix>
<fix>
<bug>40720</bug>: Fix exception in admin webapp when adding a group to
a user. (markt)
</fix>
<fix>
<bug>40874</bug>: Correct log4j configuration in documentation webapp.
Patch provided by Franck Borel. (markt)
</fix>
<fix>
<bug>40999</bug>: Add trust store configuration for SSL connectors to
the admin webapp. (markt)
</fix>
<fix>
<bug>41051</bug>: Add information on keystore aliases and case
sensitivity to SSL HOW-TO. (markt)
</fix>
<fix>
<bug>41182</bug>: Update the Jasper documentation for the classpath
attribute. (markt)
</fix>
<fix>
<bug>41493</bug>: Fix handling of APR connectors in Admin webapp.
(markt)
</fix>
<fix>
<bug>41512</bug>: Version number was not inserted in release notes.
(markt)
</fix>
<fix>
<bug>40257</bug>: Update Manager webapp howto on remote deployment to reflect
need for explicit path in one specific use-case. Thanks to Venkatesh Jayaraman. (yoavs)
</fix>
<update>
<bug>40160</bug>: add reference to the Filter proposed in this Bugzilla item to the WebdavServlet.
While at it, give the WebdavServlet some long-overdue TLC by cleaning up some of the old data
structures in favor of modern (but still JDK 1.4-compliant) interfaces. (yoavs)
</update>
<docs>
Add a virtual hosting how-to contributed by Hassan Schroeder. (markt)
</docs>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<add>
Add clustered SSO code and backport feature from Tomcat 6.0.x,
submitted by Fabien Carrion (pero)
</add>
<add>
Add better recovery at FastAsyncQueueSender. Made the strategy more robust for temporary connection problems (pero)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.20 (fhanik)" rtext="released 2006-09-28">
<subsection name="Catalina">
<changelog>
<fix>
Fix logic error in UserDatabaseRealm.getPrincipal() that caused user
roles assigned via groups to be ignored. (markt)
</fix>
<fix>
<bug>40518</bug>: Use correct message when a RuntimeException is
thrown from the requestInitialized or requestDestroyed method of
a listener that implements ServletRequestListener. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>31804</bug>: Unnested tags within a tag file are now configured
with the Tag represented by the containing tag file as their parent
tag. (markt)
</fix>
<fix>
<bug>33356</bug>: Tag attributes that contained $ followed by 1 or
more non-special characters and then a { character caused an
exception. (markt)
</fix>
<fix>
<bug>33407</bug>: The string \$ in template text was reduced to $
when the isELIgnored page directive was set to true. (markt)
</fix>
<fix>
<bug>34509</bug>: Tag names may now use the full range of
characters permitted by xsd:nmtoken. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>34399</bug>: Disable undeploy for applications that have not
been deployed such as those defined in server.xml (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.19 (fhanik)" rtext="not released">
<subsection name="General">
<changelog>
<update>
Add multi attribute setting to jmx:set JMX remote ant task.
Patch contributed by Didier Donsez (pero)
</update>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>30762</bug>: Re-fix this bug that was re-introduced by the fix
to <bug>37264</bug>. (markt)
</fix>
<fix>
<bug>37588</bug>: Fix JNDI realm creation through JMX. Patch contributed by TerryZhou (fhanik)
</fix>
<fix>
<bug>39704</bug>: The use of custom classloaders failed when the context
was specified in server.xml. Correction of the fault will require setting
the new loader attribute useSystemClassLoaderAsParent to false. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>40418</bug>: APR Endpoint socket evaluation (remm)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>31339</bug>: Admin app threw exceptions if a name other than Catalina
was configured for the Engine. Patch based on a suggestion from Amila
Suriarachchi. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.18 (yoavs)" rtext="not released">
<subsection name="General">
<changelog>
<update>
Change MD5 release signature files to have md5 (lowercase) extension instead of MD5 (uppercase),
as suggested by Henk Penning and specified in the
<a href="http://www.apache.org/dev/release-publishing.html">ASF release publishing guidelines</a>. (yoavs)
</update>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
Fix that ManagerBase increment expireSessions counter at background task two times. (pero)
</fix>
<fix>
<bug>39406</bug>: Fix that StandardSession#getLastAccessedTime() uses correct exception message,
suggested by Takayoshi Kimura. (pero)
</fix>
<add>
<bug>39661</bug>: Add documentation on JULI FileHandler properties. (yoavs)
</add>
<add>
<bug>39657</bug>: Warn (and don't load jar) if JSP API is in webapp classloader repository, as suggested by
David Sanchez Crespillo. (yoavs)
</add>
<add>
<bug>39674</bug>: Support JRockit JVM in service.bat script, as suggested by lizongbo. (yoavs)
</add>
<fix>
<bug>39711</bug>: Update Loader configuration documentation, as suggested by Stephane Bailliez. (yoavs)
</fix>
<fix>
<bug>39865</bug>: Add Open Office mime types to conf/web.xml. (markt)
</fix>
<fix>
<bug>38814</bug>: Align CGI handling of indexed queries, parameters and
POST content with other CGI providers. The changes: only provide
parameters on the command line for indexed queries; always provide the
query string via the QUERY_STRING environment variable; provide POST
content unmodified to stdin; and never call getParameters(). (markt)
</fix>
<fix>
<bug>34801</bug>: Partial fix that adds handling of IOExceptions during
long running CGI requests. Based on a patch by Chris Davey. (markt)
</fix>
<fix>
<bug>39689</bug>: Allow single quotes (') and backticks (`) as well as
double quotes (") to be used to delimit SSI attribute values. (markt)
</fix>
<fix>
<bug>40053</bug>: Correct application deployment documentation so it
agrees with the classloader documentation regarding shared lib and
CATALINA_BASE. (markt)
</fix>
<fix>
<bug>39592</bug>: Stop HEAD requests for resources handled by SSI
servlet or filter generating stack traces in the logs. (markt)
</fix>
<fix>
Improve handling of the ';' character in the URL so that it is now
allowed if properly %xx encoded. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Fix APR endpoint so that the acceptor thread now only processes socket
accepts. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>39813</bug>: Correct handling of new line characters in JMX
attributes. Patch provided by R Bramley. (markt)
</fix>
<fix>
<bug>37781</bug>: Make sure that StoreConfig save external referenced war files at context.xml correct. (pero)
</fix>
<fix>
<bug>39791</bug>: Use correct default for useNaming within a Context. (markt)
</fix>
<fix>
Correctly generate re-direct for admin app index.jsp to prevent login page
being displayed twice when cookies are disabled. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
<bug>39473</bug>: Session timeout much shorter than setting
at web.xml at cluster environment, suggested by Jin Jiang. (pero)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.17 (yoavs)" rtext="released 2006-04-27">
<subsection name="General">
<changelog>
<update>
Update to Xerces 2.8.0 (remm)
</update>
<update>
Update to tcnative 1.1.3 (remm)
</update>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
Fix SingleSignOn Valve and add Session.getLastAccessTimeInternal() without session invalidation test. (pero)
</fix>
<fix>
<bug>38814</bug>: CGIServlet correctly handles Shift_JIS output. (markt)
</fix>
<fix>
Add missing REQUEST_URI environment variable to CGI environment. (markt)
</fix>
<fix>
<bug>27617</bug>: Sync existing mime types with httpd. (keith)
</fix>
<fix>
<bug>38761</bug>: Handle relative symlinks to shell scripts as suggested by Adam Murray (keith)
</fix>
<fix>
<bug>38795</bug>: Associate more closely bind with a finally unbind in StandardContext start and
stop, based on a patch by Darryl Miles (remm)
</fix>
<fix>
Improve undeployment robustness (remm)
</fix>
<update>
Expand the semaphore valve (remm)
</update>
<fix>
<bug>39021</bug>: Add back support for authentication only, submitted by Scott Stark (remm)
</fix>
<fix>
Revert fix for <bug>38113</bug>, which does not seem a legitimate problem, and causes
regressions (remm)
</fix>
<fix>
Correctly reset listeners when reloading a webapp (remm)
</fix>
<fix>
<bug>38194</bug>: Don't fail silently if -force is used without CATALINA_PID, submitted by Matthew Buckett. (yoavs)
</fix>
<fix>
<bug>38154</bug>: Avoid NPE in FileDirContext after webapp undeploy, reported by Jamie Maher. (yoavs)
</fix>
<fix>
<bug>38217</bug>: Added cautionary note about keystore password to SSL HowTo, as suggested by Ralf Hauser. (yoavs)
</fix>
<fix>
<bug>38262</bug>: Cleared ambiguity in host documentation, as suggested by Jeffrey Bennett. (yoavs)
</fix>
<fix>
<bug>38476</bug>: Modified check for null TLD stream, as suggested by Fabrizio Giustina. (yoavs)
</fix>
<fix>
<bug>38052</bug>: Use <i>userName</i> as userField default. User is at many databases a
reserved keyword, as suggested by rik. (pero)
</fix>
<fix>
Fix handling of non matching if-range header (remm)
</fix>
<fix>
<bug>37848</bug>: Only output catalina.sh diagnostic messages if we have a TTY, submitted by
David Shaw. (yoavs)
</fix>
<fix>
<bug>38596</bug>: Minor performance optimization in DataSourceRealm, suggested by Sandy
McArthur. (yoavs)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Make the default cipher suites available for SSL the same as the set of cipher
suites enabled by default rather than the set of all cipher suites. This prevents
cipher suites that do not provide confidentiality protection and/or server
authentication being used by default. (markt)
</fix>
<fix>
Move AprEndpoint.getWorkerThread inside the try/catch for the main accept loop, to guard
against an OOM (which would most likely doom the server anyway) (remm)
</fix>
<fix>
As exhibited in the ASF's JIRA installation, it seems EINTR is a status code that should
be ignored as a result to a poll call (remm)
</fix>
<update>
New APR connectors defaults (remm)
</update>
<update>
Add multiple threads for APR pollers, to work around Windows limitations (performance degrades
very rapidly if poller sizes over 1024 are allowed when compiling APR) (remm)
</update>
<update>
New modes for firstReadTimeout (-1 being the new default) (remm)
</update>
<update>
Replace java.util.Stack usage with a simple array in the APR endpoint (remm)
</update>
<fix>
tcnative jnilib.c now report correct compile flags for runtime
Library.java checks like sendfile support default true/false (pero)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>38015</bug>: Remove misleading warnings logged in TagLibraryInfoImpl, as suggested by Andrew Houghton. (yoavs)
</fix>
<fix>
<bug>38376</bug>: Make sure body content stack is always properly aligned, as submitted by Tony Deigh. (yoavs)
</fix>
<fix>
Compatibility with JDT 3.2 (remm)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>39292</bug>: Update catalina.policy at demo balancer app. Fix provided by Kerry Sainsbury (pero)
</fix>
<fix>
<bug>36847</bug>: Fixed the manager app copy function to not overwrite fileA with fileB when fileA==fileB.
Fix provided by Haroon Rafique (fhanik)
</fix>
<fix>
<bug>38508</bug>: Several enhancements to Host Manager application, including configurable
manager app support and dialog box enhancements. Thanks to George Sexton for the patch. (yoavs)
</fix>
<fix>
<bug>37781</bug>: Make sure context config file is writeable, suggested by George Sexton. (yoavs,pero)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<update>
Add at PooledSocketSender the jmx attributes inPoolSize and inUsePoolSize. (pero)
</update>
<fix>
DeltaManager set session creationTime at backup node. (pero)
</fix>
<update>
Add JvmRouteBinderValve documentation at cluster-howto.xml. (pero)
</update>
<add>
JvmRouteBinderValve now supports session ids from request and cookies.
Thanks to Brian Stansberry for reporting it. (pero)
</add>
<fix>
<bug>38779</bug> Fix wrong jmx message arg at SimpleTcpCluster
at o.a.c.cluster.tcp.mbeans-descriptors.xml, submitted by Pawel Tucholski (pero)
</fix>
<fix>
Fix that not after every "Keep Alive Socket close" a log warning is generated at TcpReplicationThread (pero)
</fix>
<fix>
<bug>39178</bug>: Now ROOT.war deployment with FarmWarDeployer is possible (pero)
</fix>
<fix>
ReplicationValve not set primarySession flag when all backup nodes gone (pero)
</fix>
<update>
Add DeltaSession.getLastAccessTimeInternal() without session invalidation test. (pero)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.16 (yoavs)" rtext="released 2006-03-15">
<subsection name="General">
<changelog>
<update>
Updated / enhanced docs to remove old FIXME references. (yoavs)
</update>
<update>
Required tcnative library version upgraded to 1.1.2 (remm)
</update>
<update>
Update to Eclipse JDT 3.1.2 (remm)
</update>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>23950</bug>: Context.listBindings() should return objects not
references. (markt)
</fix>
<fix>
<bug>38124</bug>: Add support for Windows 20xx when reading environment
variables in CGIServlet. (markt)
</fix>
<fix>
<bug>29214</bug>: response.containsHeader() now returns the correct
value for Content-Type and Content-Length headers. (markt)
</fix>
<fix>
Allow using a custom ContextConfig when using JMX embedding of Tomcat, as
is done by the regular deployer. (remm)
</fix>
<add>
Add JMX serverInfo attribute to Server MBean, that we can identify
the tomcat release remotely. (pero)
</add>
<fix>
Fix the JMX MBeanFactory.createStandardHost signature at mbean-descriptors.xml (pero)
</fix>
<fix>
Fix some cases (for example with realm usage) where the container logger for a context
would be retrieved using the wrong classloader (remm)
</fix>
<fix>
HttpSession.getId will no longer throw an ISE when the session is invalid (remm)
</fix>
<fix>
More detailed errors for naming issues (remm)
</fix>
<docs>
Add documentation for the Transaction element (remm)
</docs>
<update>
Add getContextPath to the internal servlet context implementation (remm)
</update>
<fix>
Only null instances loaded by the webapp CL, submitted by Matt Jensen (remm)
</fix>
<update>
Deploy folders which don't have a WEB-INF, and return an error when a context
file does not contain a Context element (remm)
</update>
<fix>
<bug>38653</bug>: Fix property name (remm)
</fix>
<fix>
Slightly modify the timing of the manager start, so that it is not started by a
listener (remm)
</fix>
<fix>
Refresh loggers used by the digester (remm)
</fix>
<fix>
Use sendError instead of setStatus to send the 401 code. (billbarker)
</fix>
<fix>
Don't append the port for an SSL redirect if it is the default port. (billbarker)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Log errors when setting socket options with debug priority rather than error. (remm)
</fix>
<fix>
<bug>38100</bug>: Make certain that a valid Host name is set, or none at all. (billbarker)
</fix>
<fix>
<bug>38485</bug>: Fix minor regression setting connection timeout (as well as linger and
no delay) where the default value was always used when using the regular
HTTP connector (remm)
</fix>
<update>
Pass along more of the SSL related fields to OpenSSL (remm)
</update>
<update>
CharChunk now implements CharSequence (remm)
</update>
<fix>
Fix coding error which could cause a rare crash when a poller error occurred and sockets
were pending being added to the keepalive poller (remm)
</fix>
<fix>
Fix potential sync issues when restarting a poller (remm)
</fix>
<fix>
Update APR error reports, including the error codes (remm)
</fix>
<fix>
<bug>38726</bug>: Remove duplicate request group field causing blank statistics for the
HTTP connector (remm)
</fix>
<fix>
Fix invalid length used by some AJP packets for the AJP APR connector, which could cause
corruption, submitted by Rudiger Plum (jim)
</fix>
<fix>
<bug>38346</bug>: Fix problems with request.getReader().readLine().
Patch by Rainer Jung (billbarker)
</fix>
<update>
Local address reuse for APR Endpoints (via APR_SO_REUSEADDR) now enabled (jim)
</update>
<fix>
Don't write out the shutdown secret file if shutdown is disabled (the default) (billbarker)
</fix>
<fix>
Fix NPE when no sink is supplied. (billbarker)
</fix>
<update>
APR Endpoints now IPv6 aware (jim)
</update>
<update>
Downgrade "Response already committed" logging entry to DEBUG. (billbarker)
</update>
<fix>
<bug>38113</bug>: Return the empty String for an empty query-string instead of null. (billbarker)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>38389</bug>: Set correct JDT Compiler option to java 1.5 compliance.
Patch from Olivier Thomann and Paul Hamer (pero)
</fix>
<update>
Add some useful hints to jasper-howto. (pero).
</update>
<fix>
<bug>38776</bug>: Fix source file attribute, submitted by Olivier Thomann (remm)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
Update DeltaManager session access stats (pero)
</fix>
<fix>
DeltaSession getId will no longer throw an ISE when the session is invalid (pero)
</fix>
<update>
Resurrected the &quot;suspect&quot; property so that the logs don't fill
up with errors when member disappears or a connection is lost. Only useful for pooled mode (fhanik)
</update>
<add>
<bug>35710</bug>: Add session replication for cross context session changes.
The portlet api need this support, see refactored ReplicationValve. (pero)
</add>
<update>
ReplicationValve reset DeltaSession when cluster node has no backup node. (pero)
</update>
<update>
DataSender close connection and throw exception also even if waitForAck is false. (pero)
</update>
<fix>
Active cluster junit test again. (pero)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
Fix some XSS issues in the JSP examples. (markt)
</fix>
<fix>
Fix logos in the manager webapp (remm)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.15 (yoavs)" rtext="released 2006-01-21">
<subsection name="General">
<changelog>
<fix>
<bug>32081</bug>: Remove the JDK requirement from the Win32 scripts. (keith)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>37852</bug>: Fix regression where the magic role '*' was denying all access. Patch by xrcat (billbarker)
</fix>
<fix>
<bug>37934</bug>: Don't ask for authentication if deny-from-all is in effect. (billbarker)
</fix>
<fix>
<bug>15570</bug>: auth-constraint of * was interpreted as all
authenticated users rather than as all roles defined in web.xml. (markt)
</fix>
<fix>
Remove leftover static logger which was used to log application level messages in
ApplicationContextFacade (remm)
</fix>
<fix>
<bug>38012</bug>: Where a CGI script sets a response code, use it. (markt)
</fix>
<fix>
<bug>37854</bug>: Extension-List checking was too strict. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Report binding errors in the APR endpoint as strings rather than platform specific
status codes (remm)
</fix>
<fix>
<bug>37934</bug>: Don't ask for authentication if deny-from-all is in effect. (billbarker)
</fix>
<fix><bug>38047</bug>: Handle the case where the Servlet attempts to read
the Request body from the AJP/1.3 Connector, in the case that no
body was sent. (billbarker)
</fix>
<fix><bug>38030</bug>: Unconditionally return EOS for an attempt to read
the body of any request that doesn't send CL or TE.
(remm, billbarker).
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>35351</bug>: Fix problem using an inner class for a &lt;jsp:useBean /&gt;. (kinman).
</fix>
<fix>
<bug>37929</bug>: Don't stop on the generic attribute methods just because the session is invalid. Patch by Pierre Delisle. (billbarker)
</fix>
<update>
Add system properties org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER and
org.apache.jasper.runtime.JspFactoryImpl.USE_POOL to allow configuring Jasper
memory usage (remm)
</update>
<fix>
<bug>37933</bug>: Restrict &lt;jsp:getAttribute /&gt; to only look in PAGE_SCOPE. (billbarker)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
<bug>37808</bug>: Fix ArrayIndexOutOfBoundsException inside XByteBuffer. Reported by Dietmar Mueller (pero)
</fix>
<update>
<bug>37896</bug>: DataSender starts new Socket after IOException. (pero)
</update>
<update>
Reduce memory usage at membership service. (pero)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.14 (yoavs)">
<subsection name="General">
<changelog>
<update>
Update optional native APR connector version to 1.1.1. (mturk)
</update>
<update>
Update build.properties.default to get native connector from new location. (yoavs)
</update>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>13040</bug>: Fix getContext() when used to obtain a context that is a sub-context
of the current context. Ported from TC4. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>37746</bug>: Remove extra space from StringTokenizer pattern in JspC, as suggested by
Eric Hedstrom. (yoavs)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>36863</bug>: Strip quotes when parsing Cookie values, even for v0 Cookies. (billbarker)
</fix>
<fix>
<bug>37803</bug>: Don't claim that we have a string value in MessageBytes until we actually do.
Patch by Doug Rand (billbarker)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.13 (yoavs)">
<subsection name="General">
<changelog>
<fix>
<bug>36711</bug>: Unused line of code. (yoavs)
</fix>
<update>
Removed unused SAXPath, Jaxen dependencies. (yoavs)
</update>
<update>
Update log4j dependency to version 1.2.12, Struts to 1.2.7. (yoavs)
</update>
<update>
Removed JDBC 2.0 StdExt dependency (the only class used from there is javax.sql.XADataSource, which is
present in JDK 1.4 and later). (yoavs)
</update>
<fix>
<bug>37039</bug>: Typo in JK Quick configuration how-to. (yoavs)
</fix>
<add>
<bug>37035</bug>: Add a placeholder file in the temp directory for WinZip tar.gz handling. (yoavs)
</add>
<update>
Update JAF dependency to 1.0.2, JTA to 1.0.1b and JavaMail to 1.3.3_01. (markt)
</update>
<add>
Added Eclipse .project, .classpath, and associated files to make building Tomcat from
Eclipse significantly easier. (markt)
</add>
<add>
<bug>37284</bug>: Guess JSE 5.0 location on Mac OS X, patch by Stepan Koltsov. (yoavs)
</add>
<fix>
Wrong class name in antlib.xml for JkStatusUpdateTask. (yoavs)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>36802</bug>: Fix problem of double-init when JMX-deploying a
Context into a started Host. (billbarker)
</fix>
<fix>
<bug>36840</bug>: Provide information as to which web.xml is being processed on startup to
help debug parsing errors. (yoavs)
</fix>
<add>
<bug>34724</bug>: Ability to set domain for Single-Sign-On cookie. Patch by Oliver
Rossmueller. (yoavs)
</add>
<fix>
<bug>37044</bug>: RealmBase.hasResourcePermission needs to access the GenericPrincipal as
set by the realm unless hasRole is overridden, which was no longer being done properly for
the JAAS realm (remm)
</fix>
<fix>
<bug>37264</bug>: JNDI resources were no longer available when stopping listeners,
submitted by Bogdan Calmac (remm)
</fix>
<fix>
<bug>37150</bug>: Turn off directory listing by default and add a warning
regarding enabling listing of directories with many entries. (markt)
</fix>
<update>
Add configurability for the amount of time that the container will wait for requests
to complete when unloading servlets, using the unloadDelay property. (remm)
</update>
<update>
Add code to set to null fields in loaded classes when stopping a web application, as a
possible workaround for suspicious garbage collection behavior. (remm)
</update>
<update>
Update messages and stack traces for classloading errors which may occur when removing
a web application, and for stopped web applications. (remm)
</update>
<fix>
<bug>37319</bug>: Fix catalina.bat reference to CATALINA_BASE for logging.properties. Thanks
to Pierre-Yves Benzaken. (yoavs)
</fix>
<fix>
<bug>36852</bug>: Custom classloaders don't honor Context privileged attribute. Thanks to
Matt Brinkley for the analysis and patch. (yoavs)
</fix>
<fix>Fix for a couple of (mostly silly) edge-cases in testing auth.
Thanks to Nam T. Nguyen for the report. (billbarker)
</fix>
<fix>
<bug>37060</bug>: Actually copy the Request headers when replaying after Form auth. (billbarker)
</fix>
<fix>
<bug>37591</bug>: Typo in Engine configuration reference. (yoavs)
</fix>
<fix>
<bug>37668</bug>: Added note about JSP recompilation to Context configuration documentation. (yoavs)
</fix>
<fix>
<bug>37132</bug>: Have DigestAuthenticator handle user names with commas. Thanks to
Robert Wille for the patch. (yoavs)
</fix>
<fix>
<bug>37212</bug>: Better error reporting in Connector.java. Thanks to Ralf Hauser for
the patch. (yoavs)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Gracefully handle the case where some Socket options are disabled at
the OS level for the AJP/1.3 Connector. (billbarker)
</fix>
<fix>
<bug>36366</bug>: Use rewritten deployer-howto page by Allistair Crossley. (remm)
</fix>
<add>
<bug>36630</bug>: Added extra log output for class instantiation failure. (yoavs)
</add>
<fix>
<bug>37121</bug>: Sendfile always needs to be given the length of data to write,
which fixes ranged requests. (remm)
</fix>
<fix>
Optimized direct byte buffers association with the socket for APR connectors. (mturk)
</fix>
<fix>
Fix hidden NPEs when using the APR connectors and there's no host header. (pero, remm)
</fix>
<fix>
Http11Protocol now registers RequestProcessor with JMX and shows current usage inside the manager app. (pero)
</fix>
<add>
JkStatus Ant tasks for mod_jk 1.2.15. (pero)
</add>
<update>Connection Timeout is normal, so reduce logging to DEBUG (billbarker)
</update>
<fix>
Fix crash which could occur with the HTTP APR connector when accessing request JMX objects
outside of the processing of the said request (remm)
</fix>
<fix>
<bug>37627</bug>: Fix buffering issue in the HTTP APR connector when a large buffer size was
used for servlets (remm)
</fix>
<fix>
<bug>37673</bug>: Fix implementation of getLocalPort and getLocalAddr in the HTTP APR connector
(remm)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>35252</bug>: Jasper PageDataImpl outputs malformed XML. Patch by Rahul Akolkar. (yoavs)
</fix>
<add>
<bug>37062</bug>: Helpful JSP exception message containing file, line numbers. Patch by
Tim Fennell at http://www.tfenne.com/jasper/. (yoavs)
</add>
<fix>
<bug>37407</bug>: File descriptor leak in JspReader. Thanks to Fred for the patch. I also
did some minor cleanup in the class. (yoavs)
</fix>
<add>
<bug>37612</bug>: Add file location to JSP Validator error message. Thanks to Renaud Bruyeron
for the patch. (yoavs)
</add>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
Fix that session replace messages are logged after node recovery gets all sessions from the master node. (pero)
</fix>
<fix>
<bug>37896</bug>: Fix that sendMessage signature at all DataSender subclasses must be changed.
Now pooled and async modes work as expected. (pero)
</fix>
<fix>
Fix that socket at o.a.c.cluster.tcp.FastAsyncSocketSender can be disconnected/connected. (pero)
</fix>
<fix>
Fix cluster module build.xml script for new svn repository structure (pero)
</fix>
<fix>
Fix closed socket exceptions at normal server shutdown, reported by Olve Hansen (pero)
</fix>
<fix>
Fix closed socket exceptions inside async message transfer modes (pero)
</fix>
<fix>
<bug>34984</bug>: HttpSessionBindingEvent.getValue() gets the correct value. (pero)
</fix>
<fix>
<bug>35916</bug>: Send sessionCreated to SessionListener after cluster node recovery. (pero)
</fix>
<fix>
<bug>36541</bug>: Also use Hashtable in DeltaSession. (pero)
</fix>
<fix>
Better support cluster at engine level. (pero)
</fix>
<fix>
<bug>36866</bug>: Correct attribute name in conf/server.xml documentation for Cluster element. (yoavs)
</fix>
<fix>
<bug>37261</bug>: Allow xerces to know where the web.xml file is so that relative entities can be resolved.
</fix>
<fix>
<bug>37529</bug>: Fixed race condition in ReplicationLister#stopListening. Thanks to
Chris Walker for the patch. (yoavs)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>Remove obsolete TagPlugin file from JSP examples (billbarker)</fix>
<fix>
<bug>36019</bug>: Made clear the Host-Manager HowTo is coming soon, not ready yet. (yoavs)
</fix>
<fix>
<bug>36336</bug>: Check WAR extension in both upper and lower case, as suggested by
A. Grasoff. (yoavs)
</fix>
<fix>
<bug>35982</bug>: Can't delete mail sessions in admin webapp. (yoavs)
</fix>
<fix>
<bug>36673</bug>: Similar to the one above, for data sources. (yoavs)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.12 (yoavs)">
<subsection name="General">
<changelog>
<fix>
Remove unneeded files in conf. (remm)
</fix>
<update>
Change distribution file names from jakarta-* to apache-*. (remm)
</update>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<add>
Add JMX Remote create and unregister ant tasks (pero)
</add>
<fix>
<bug>36343</bug>: Only normalize out backslash on Windows platforms. (billbarker)
</fix>
<fix>
Allow configuring standard stream redirection. (remm)
</fix>
<add>
<bug>36088</bug>: Add RUNNING.txt and RELEASE-NOTES.txt to fulldocs distro. (yoavs)
</add>
<fix>
<bug>36534</bug>: Fix equals for URLs returned by ServletContext.getResource() (luehe)
</fix>
<fix>
<bug>36558</bug>: Clear IntrospectionUtils cache when stopping a webapp, as it
could lead to keeping a reference to the classloader (remm)
</fix>
<fix>
<bug>36113</bug>: Session persistence for objects with primitive types could fail in
some rare cases (remm)
</fix>
<fix>
<bug>36541</bug>: Full synchronization for session objects attributes collections (remm)
</fix>
<fix>
<bug>35609</bug>: service.bat echo command when wrong arguments given [patch by Robert
Longson] (yoavs)
</fix>
<fix>
<bug>34749</bug>: jsessionid dropped on trailing slash (/) redirect (remm)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<update>
Add support for secret for AJP APR (remm)
</update>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
Fix NPE with an error message when no Java compiler is available (remm)
</fix>
<fix>
Restrict System err stream capture to the Ant compiler, as the Eclipse compiler
does not need it (remm)
</fix>
<update>
JSP compilation speed improvement using tag library information caching,
submitted by Xingbo Gao (remm)
</update>
<add>
Initial contribution of JSTL tag plugins supporting the core tag library of
JSTL, submitted by Jing Li (remm)
</add>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
<bug>36541</bug>: Sync all session attribute access (read and write) at DeltaSession (pero)
</fix>
<fix>
<bug>36518</bug>: Classname typos for senders, submitted by Christoph Bachhuber-Haller (remm)
</fix>
<add>
<bug>35613</bug>: Added FAQ question and answer about tcpListenAddress="auto" and /etc/hosts (yoavs)
</add>
<update>
Moved FAQ section for Clustering from Clustering HowTo page to its own FAQ page. (yoavs)
</update>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<docs>
<bug>36319</bug>: Fix broken link to DBCP docs, submitted by Xavier Poinsard (remm)
</docs>
<docs>
Brand new deployer specs, submitted by Allistair Crossley (remm)
</docs>
</changelog>
</subsection>
</section>
<section name="Tomcat 5.5.11 (yoavs)">
<subsection name="General">
<changelog>
<update>
Update to Xerces 2.7.1 (remm)
</update>
<add>
Add ready to build bin/tomcat-native.tar.gz for the APR JNI wrapper library (remm)
</add>
<fix>
<bug>35930</bug>: Bad logging config used by the Tomcat Windows service (remm)
</fix>
<add>
<bug>33261</bug>: Windows installer now checks the user type and warns non-admins as needed. (yoavs)
</add>
<update>
The Windows installer will now optionally download a (32bit) Windows .dll for Tomcat native
from HEAnet (remm)
</update>
<fix>
Declaration of jspc Ant task to fix the deployer package (remm)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<add>
Add concurrency control valve (o.a.c.valves.SemaphoreValve). As the Tomcat distribution
is not built for Java 5, the valve will have to be compiled from the sources
using Java 5 (remm)
</add>
<fix>
<bug>35880</bug>: Ignore JSSE15SocketFactory when generating JavaDoc, as it breaks
the JDK 1.4 JavaDoc tool. (yoavs)
</fix>
<fix>
<bug>35865</bug>: setclasspath.sh cannot be executed under cygwin. (funkman)
</fix>
<fix>
<bug>33267</bug>: Set working path in service installer, as suggested by Dominik
Drzewiecki. (yoavs)
</fix>